hipaa compliance Archives - LuxSci

Posts Tagged ‘hipaa compliance’

How to Use ePHI to Segment and Personalize Email Marketing Campaigns

Tuesday, June 1st, 2021

Segmentation and personalization are powerful marketing tactics that are widely used across all industries. It is well-documented that marketers who send emails that are segmented and personalized experience much higher open and click rates. However, when healthcare marketers want to use these tactics, they must be aware of HIPAA! Any message that contains ePHI must be protected. In the past, these regulations made it difficult to send bulk marketing messages beyond generic office newsletters. However, using ePHI to segment and personalize marketing campaigns is possible!

To leverage patient data and create highly engaging and effective email campaigns that do not compromise security, marketers must use a HIPAA-compliant email marketing solution. We will walk you through how to use ePHI to segment and personalize healthcare marketing emails and improve your patient engagement.


How to Use ePHI to Segment Email Lists

Every campaign starts with identifying the target audience. When you use segmentation, you simply break down your email list into smaller subsets based on shared characteristics. The benefit of segmenting a list based on shared data is that you can adjust your messaging to speak more directly to that group of customers. When you are using a HIPAA-compliant marketing solution, you can segment your list using any data that you have from your patients (make sure you obtain appropriate permissions and opt-ins first!), including ePHI.

Ways to Segment lists using ePHI

Some examples of ways you can break down your lists using ePHI include:

  • Demographic characteristics
    • Gender
    • Age
  • Geographic location
  • Primary care provider
  • Date of last visit
  • Reason for last visit
  • Sensitive medical information
    • Medical conditions
    • Treatment history

The possibilities are only limited by the data that you collect.

How to Use ePHI to Personalize Emails

Once you have identified who the email is going to, the next step for sending an engaging email is to personalize the content for that audience. Much like segmentation, the possibilities for personalizing emails are only limited by the data that you collect. Anything that you can do to make the email feel like it’s a 1:1 communication instead of a generic blast email will increase the likelihood that it will be opened and engaged with by your target.

How to Personalize Emails with ePHI

The most common way to personalize an email is by using the person’s name in the subject line or email greeting. However, personalization can go much deeper when you also segment the list with ePHI. When you narrow down your list, it is much easier to create campaigns that appeal to the audience with relevant content and targeted promotions. A good example would be offering free breast cancer screenings for women during October. Men would be unlikely to engage with that email, because the subject matter is not relevant to them. By sending the email to only women of a certain age bracket, you are likely to increase the response rate and not irritate others on your list by sending them unnecessary information.

Other ways you can personalize emails with ePHI include:

  • Using a unique “From” name (e.g. saying the email is from Dr. Jones, who is the patient’s PCP, instead of using the name of the medical practice or billing department).
  • Providing program recommendations based on past behavior (recommending a support group for a specific condition).
  • Automating workflows based on behavior triggers (appointment reminders, pre- and post-op instructions, prescription refills, etc.).
  • Customizing the content based on data.

Segmentation and Personalization Example

Say we are auditing some patient data and realize that in our patient population, men at risk for diabetes are much less likely to schedule a follow-up appointment. As a result, this group is becoming much sicker than it would with early intervention. How can we reach this population? By using ePHI to segment and personalize an email campaign just for them.

First, we create a segment based on the pattern we observed: men who are over 40 with elevated A1C levels at their last test.

Then, the marketing team can create personalized content like blogs, white papers, or guides designed specifically to influence the segment’s behavior. One email in the campaign might look something like this:

“Dear [first name],

During your last visit on [last appointment date], your A1C levels were elevated, which indicates that you are at a higher risk of developing diabetes. Download our guide with nutritional advice and example meal plans designed to help control your blood sugar.”

Perhaps the nutritional guide mentioned in this email example has a call to action that invites readers to schedule a free consultation with a dietician to learn more about dietary changes they can make to prevent diabetes.

Likewise, by segmenting the audience, you can create personalized offers that are more likely to drive the behavior you want. In this example, maybe you offer discounted rounds of golf to anyone who joins a men’s diabetes support group.

Use Personalization Tags for Scalability

Best of all, with email marketing, you can create these emails at scale. You do not need to write individual emails to each of the patients that falls into this segment. You can use personalization tags to automatically pull in the information you have uploaded to the platform. As you see in the example above, where it says “[first name]” and “[last appointment date]” the platform will pull in the corresponding information tied to each unique email address, saving you time and improving your email performance. This is an advanced technique, but most email marketing platforms include this capability. Once again, make sure you are using a HIPAA-compliant platform before uploading any medical information.
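The workflow this post describes (build a segment from patient data, merge personalization tags into a template, and only then hand the messages to a platform) as an added example in Python. This is not LuxSci’s code and not the behaviour of any particular marketing platform; the patient schema, the tag names, the A1C threshold and the patient records are all constructed for the example. It also adds the check a practitioner wants before uploading anything: the campaign is classified as carrying ePHI when health information enters it either through merge tags in the body or through the segment criteria themselves, and it is refused unless the channel is HIPAA-compliant.

```python
"""Added example (not LuxSci's code): segment a patient list using ePHI,
merge personalization tags into a template, and refuse to hand the campaign
to a non-HIPAA-compliant channel when it carries ePHI.
Schema, field names, threshold and patient records are constructed."""
import re
from dataclasses import dataclass

# Fields that are health information (assumed schema). Combined with an
# identifier such as the recipient's email address they form ePHI.
HEALTH_FIELDS = {"a1c", "last_visit", "pcp", "conditions"}

# Personalization tags as written in the template -> patient attribute.
TAG_FIELDS = {
    "first name": "first_name",
    "last appointment date": "last_visit",
    "pcp": "pcp",
}
TAG = re.compile(r"\[([a-z ]+)\]")


@dataclass
class Patient:
    email: str
    first_name: str
    sex: str
    age: int
    a1c: float          # percent, from the last test
    last_visit: str     # ISO date
    pcp: str
    marketing_opt_in: bool


# Constructed sample data, not real patients.
PATIENTS = [
    Patient("alice@example.com", "Alice", "F", 52, 5.2, "2021-03-02", "Dr. Jones", True),
    Patient("bob@example.com", "Bob", "M", 47, 6.1, "2021-02-15", "Dr. Jones", True),
    Patient("carl@example.com", "Carl", "M", 38, 6.3, "2021-01-20", "Dr. Patel", True),
    Patient("dave@example.com", "Dave", "M", 61, 5.9, "2020-12-01", "Dr. Patel", False),
    Patient("ed@example.com", "Ed", "M", 55, 5.8, "2021-04-10", "Dr. Jones", True),
]

DIABETES_TEMPLATE = (
    "Dear [first name],\n\n"
    "During your last visit on [last appointment date], your A1C levels were "
    "elevated, which indicates that you are at a higher risk of developing "
    "diabetes. Download our guide with nutritional advice and example meal plans."
)

A1C_ELEVATED = 5.7  # assumed threshold for "elevated"; a clinician sets the real one


def at_risk_men_over_40(p: Patient) -> bool:
    """Segment predicate from the article's worked example."""
    return p.sex == "M" and p.age > 40 and p.a1c >= A1C_ELEVATED


def segment(patients, predicate):
    """Apply the predicate; the marketing opt-in is required whatever the segment."""
    return [p for p in patients if p.marketing_opt_in and predicate(p)]


def render(template: str, patient: Patient) -> str:
    """Replace [tag] placeholders with the patient's values. An unknown tag fails
    loudly instead of leaking a raw placeholder into a patient-facing message."""
    def sub(m):
        key = m.group(1)
        if key not in TAG_FIELDS:
            raise KeyError(f"unknown personalization tag [{key}]")
        return str(getattr(patient, TAG_FIELDS[key]))
    return TAG.sub(sub, template)


def campaign_carries_ephi(segment_fields, template: str) -> bool:
    """True when health information enters the campaign through merge tags in the
    body or through the segment criteria: a generic newsletter sent only to people
    with a given condition still reveals that condition to whoever sees the list."""
    tag_fields = {TAG_FIELDS[k] for k in TAG.findall(template) if k in TAG_FIELDS}
    return bool((tag_fields | set(segment_fields)) & HEALTH_FIELDS)


def build_campaign(patients, predicate, segment_fields, template, channel_is_hipaa_compliant):
    """Return (email, body) pairs, or refuse if ePHI would leave over an insecure channel."""
    if campaign_carries_ephi(segment_fields, template) and not channel_is_hipaa_compliant:
        raise PermissionError("campaign contains ePHI; send only via a HIPAA-compliant platform under a BAA")
    return [(p.email, render(template, p)) for p in segment(patients, predicate)]


if __name__ == "__main__":
    for email, body in build_campaign(PATIENTS, at_risk_men_over_40,
                                      {"sex", "age", "a1c"}, DIABETES_TEMPLATE, True):
        print(email, "\n" + body + "\n")
```

The segment fields are passed alongside the template because, as the cancer-newsletter example elsewhere on this page shows, the body can be free of health details and the campaign still be ePHI: membership in a condition-based list is itself the sensitive fact.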

Now you know how to use ePHI to segment and personalize emails. What’s next?

It’s important to find a vendor that will allow you to use these techniques without violating HIPAA. Many of the most common vendors like Constant Contact and Mailchimp are only quasi-compliant at best. Do your research, sign a BAA, and ask the right questions to ensure you can send ePHI in any email you send.


Can You Send ePHI in Insecure Emails and Texts with Mutual Consent?

Tuesday, April 27th, 2021

Email and text messaging are among the most common forms of business communication. However, if you are sending ePHI, regular texts and emails are off limits! If you are subject to HIPAA regulations, you will need mutual consent from your patients before sending ePHI insecurely via these methods.

This may seem frustrating because text and email are easy and switching to a secure service can feel like a lot of work. However, when ePHI is mishandled it can have significant repercussions. Personal information can be stolen, made public, and even used in fraud.

Text messaging and normal email carry significant risks to ePHI, because they aren’t designed to be secure. While it is best to only send ePHI over secure services, there may be instances where the patient wants to communicate over these insecure methods. Because of the risks, your organization needs signed mutual consent waivers to proceed with insecure communication.

Does HIPAA Allow Mutual Consent?


17 Questions To Ask Before Sending A HIPAA-Compliant Marketing Email

Tuesday, April 20th, 2021

You’ve just been told that your email marketing program is putting your company at risk of violating HIPAA. What now? If you want to continue using email to communicate with patients, you must implement HIPAA-compliant email marketing.

Start by breaking down that goal into two components: becoming HIPAA-compliant and achieving your marketing objectives. Setting up HIPAA-compliant systems and procedures will ensure your patient data is protected. However, you don’t have to let your marketing objectives suffer for the sake of security. Implementing a HIPAA-compliant marketing program can actually help you achieve better marketing results.

Ask yourself these 17 questions to ensure your email marketing plan aligns with your business goals and HIPAA.


What is HIPAA-Compliant Email Marketing?

Tuesday, April 13th, 2021

Why does your organization need HIPAA-compliant email marketing? It’s simple. Email marketing is a tried and true marketing strategy that can deliver a major return on investment. Healthcare organizations can also benefit from email marketing, but they need to take steps to make sure their messages comply with HIPAA. 


When Should You Send HIPAA-Compliant Email Marketing?

A HIPAA-compliant email marketing platform is essential to use whenever your organization could be sending electronic protected health information (ePHI). This includes information that is both individually identifiable and relates to someone’s healthcare.

Individually identifiable information includes identifiers like a patient’s name, address, birth date, email address, social security number and much more. Not only does the definition of ePHI cover people’s past, present and future health conditions, but it also includes treatment provisions and billing details.

While anonymous health details or individual identifiers sent by themselves are not covered by the law, when the two are brought together you need to be careful and abide by HIPAA regulations. You will need a HIPAA-compliant email marketing service whenever you send ePHI, and if you think an email may not contain ePHI, it is still best to be cautious.

Examples of HIPAA-Compliant Email Marketing

A good example of an email blast that needs to comply with HIPAA is a newsletter sent to all of a clinic’s cancer patients. At first glance, you might think the email doesn’t contain any specific PHI. However, on closer inspection, it could end up violating HIPAA regulations.

Every email in this campaign contains a personal identifier: the patient’s email address. In this example, only cancer patients received the newsletter, so list membership is also personal medical information. A hacker could infer that anyone who received this email has cancer, which is ePHI and protected under HIPAA. If you use a medical condition to segment email recipients, the email campaign must comply with HIPAA.

It can be difficult to determine whether an email contains ePHI. If you sent the exact same newsletter to a list of all current and former patients of the medical clinic, it may or may not contain ePHI. There are a lot of gray areas. We recommend using HIPAA-compliant email marketing for any promotional materials to reduce the risk of violations.

After reading this, you may be thinking that you should never use patient information to segment email lists. However, if you use a HIPAA-compliant email marketing solution, you can leverage ePHI to send much more effective messages. In the above example, cancer patients actively receiving treatment at your clinic are much more likely to be interested in your business updates. Targeted emails receive much higher open and click rates than those sent to a general list. Sending the right information to your patients at the right time is a very effective patient engagement strategy. 

HIPAA-Compliant Email Marketing Solutions

Finding the right HIPAA-compliant email marketing platform can be challenging. Most of the common vendors aren’t HIPAA-compliant at all. Others claim compliance and will sign BAAs to protect your information at rest, but still require you to not send anything sensitive via email.  Finding a provider that can suit your business needs and can also protect the actual email messages is difficult.

Thankfully, LuxSci’s Secure Marketing email platform has been designed to cater to both needs. Our platform was built with both security and compliance at the forefront. With Secure Marketing, send fully HIPAA-compliant email marketing messages to the right patients at the right time and receive a better return on your marketing investment.

Information Blocking Is Over – How Will It Affect Your Organization?

Tuesday, April 6th, 2021

Starting April 5, 2021, information blocking will no longer be allowed thanks to changes that were kicked off by 2016’s 21st Century Cures Act. In short, information blocking involves interfering with the exchange, access, or use of electronic health information.

There are many ways information can be “blocked,” but the term broadly refers to improperly restricting access to private health information. Information blocking can sometimes occur by misapplying the HIPAA Privacy Rule, but it is not always intentional. Poorly designed IT systems can also prevent patients from accessing important health information.

A Brief Background on Information Blocking

Congress passed the 21st Century Cures Act to modernize the health care system. With many hospitals and organizations adopting electronic medical records and other technology, the bill focused on improving the interoperability of technology and increasing patient access to their health information. The 21st Century Cures Act builds on HIPAA, which was passed in 1996 before the widespread adoption of online health technology. Under HIPAA, patients have the right to access and receive copies of their health information.

The Office of the National Coordinator for Health Information Technology (ONC) Cures Act Final Rule added exceptions and health IT certification requirements, but the Department of Health and Human Services postponed compliance requirements due to the pandemic. HHS set the new date for the information blocking provisions to begin on April 5, 2021.

What Is Information Blocking?

Information blocking is any practice that is likely to interfere with the use, access, or exchange of electronic health information. It applies to three specific groups:

  • Healthcare providers
  • Health IT developers of certified health IT
  • Health information networks and health information exchanges

Examples include:

  • Improperly citing the HIPAA Privacy Rule as the reason for not sharing ePHI.
  • Imposing fees that make the exchange of information cost prohibitive.
  • Implementing technology in non-standard ways to limit the interoperability of the information.
  • Locking patients in to a particular technology or standard so that their health information is not portable.

Information Blocking Exceptions

There are eight separate categories of exceptions. The first group includes exceptions that involve not fulfilling requests for access, exchange, or use:

  • Privacy
  • Security
  • Preventing harm
  • Infeasibility
  • Health IT performance

The second are exceptions that involve procedures for fulfilling requests for access, exchange, or use:

  • Licensing
  • Fees
  • Content and manner

In situations that meet these exceptions, interfering with the sharing, use, or access to health data is not considered information blocking. The categories are nuanced, so you should refer to the ONC Cures Act Final Rule for specifics.

One basic example would be an IT department denying an information request during a natural disaster event that impacted a data center. It would not be feasible for an IT department to grant access during the outage and an exception may be granted. However, the entity needs to reply to the requester within 10 business days to explain why the request could not be fulfilled. Requests cannot be ignored.

Proposed Penalties

The Office of the Inspector General has not yet announced the finalized penalty. However, the proposed rule states that the maximum penalty for each violation would not exceed $1 million.

How to Prepare for the Information Blocking Changes

Starting on April 5, 2021, organizations that are responsible for compliance will need to ensure that they are not engaging in information blocking practices (unless covered by an exception).

If an organization is improperly restricting information, it will need to make technical and operational changes to stop the practice. This may include updating policies and business associate agreements to ensure that data is available when requested.

Depending on the technology utilized, ending the practice of information blocking may be a significant undertaking. If large overhauls to current governance standards and infrastructure are required, organizations should:

  • Develop an action plan that reviews requirements and establishes an appropriate governance structure.
  • Review access policies to meet the new requirements.
  • Set up a process for evaluating situations where the eight exceptions apply.
  • Give employees comprehensive training where appropriate.

The information blocking changes may help to facilitate a better healthcare environment, but they are also a significant undertaking for certain stakeholders. Managing them appropriately will require diligence and attention to bring about the best outcomes for patients, and to reduce the chances of facing penalties from violations.
